I had to do the following:
- Use PHP SDK's getLoginUrl only on the first page (i.e. login/index) and remove it from all the other pages.
- Use FB.getLoginStatus() from the JavaScript SDK and fall back to FB.login() or a redirect to the login/index page
- Check the FB.getLoginStatus() before you attempt anything that might require a valid access_token
I'm convinced that the main issue was the fact that I called getLoginUrl on every single page.
Since I made these changes, I only get the "CSRF state token" error in the logs when robots hit my pages.
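The client-side flow described in this answer (check FB.getLoginStatus() first, fall back to FB.login(), and only then redirect to login/index), as an added example that is not part of the original post. The `fb` parameter, the `redirect` callback, the `/login/index` path and the `'email'` scope are assumptions; the stub object stands in for the real Facebook SDK so the flow can be run offline.

```javascript
// Gate anything that needs an access_token behind FB.getLoginStatus().
// `fb` is the SDK object (window.FB in a browser); `opts.redirect` is called
// with the login page path when no token can be obtained; `onReady` receives
// the access token. Everything here is callback-based, like the SDK itself.
function ensureFacebookSession(fb, opts, onReady) {
  var loginPage = opts.loginPage || '/login/index'; // assumed path

  fb.getLoginStatus(function (response) {
    // 'connected' = logged in to Facebook AND has authorised this app;
    // only then does response.authResponse carry a usable access token.
    if (response && response.status === 'connected' && response.authResponse) {
      onReady(response.authResponse.accessToken);
      return;
    }
    // 'not_authorized' or 'unknown': ask the SDK to log the user in.
    fb.login(function (loginResponse) {
      if (loginResponse && loginResponse.status === 'connected' && loginResponse.authResponse) {
        onReady(loginResponse.authResponse.accessToken);
      } else {
        // Dialog dismissed or failed: send the user to the single page that
        // builds a fresh server-side login URL (getLoginUrl) with its state.
        opts.redirect(loginPage);
      }
    }, { scope: opts.scope || 'email' }); // assumed permission scope
  });
}

// Constructed stand-in for the FB SDK object: returns the canned responses
// and records which SDK calls were made, so the flow can be checked offline.
function makeFakeFb(statusResponse, loginResponse) {
  return {
    calls: [],
    getLoginStatus: function (cb) { this.calls.push('getLoginStatus'); cb(statusResponse); },
    login: function (cb, options) { this.calls.push('login:' + options.scope); cb(loginResponse); }
  };
}

// Run the flow against the stub and report token, redirect and SDK calls.
function runScenario(statusResponse, loginResponse) {
  var fb = makeFakeFb(statusResponse, loginResponse);
  var result = { token: null, redirectedTo: null, calls: fb.calls };
  ensureFacebookSession(fb, {
    scope: 'email',
    redirect: function (path) { result.redirectedTo = path; }
  }, function (token) { result.token = token; });
  return result;
}
```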